Professional Documents
Culture Documents
on Security
for the Board
April 2023 – Edition 1
April 2023
For more information, visit gcat.google.com
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
Table of contents
Foreword 03
Conclusion 09
2
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
Foreword
As a Board Member and a CISO, we frequently questions about technology and digital capability, not
engage with company leadership across sectors just review what are often lagging indicators of cyber
on cybersecurity and technology risk. In these performance.
engagements, it is clear that cyber is top of mind for
every organization. To help with this effort, we’re releasing the first
edition of the Google Cybersecurity Action Team’s
As such, we thought it would be timely to share our Perspectives on Security for the Board report. This
perspective on how the Board can best address report series is intended to help Board members
cybersecurity and risk along with ways to take a more sharpen their cybersecurity knowledge – including
proactive role in these areas - now and in the future. how to address cyberattacks and understand how
One lesson we’ve learned is that Board awareness likely they are to impact their organization – and
and subsequent guidance in this area is absolutely prepare them for potential regulatory obligations.
critical to every organization’s long term success.
In this inaugural report, we (1) cover the Board’s roles
When we engage on these issues, Board members and responsibilities in cyber risk oversight; (2) provide
often ask: what types of conversations should we guidance on how Boards should navigate the cyber
be having about cybersecurity and what types of threat landscape; and (3) explain how Boards should
questions do we need to be asking our C-Suite? engage on emerging issues surrounding artificial
The answer is that Boards should work to ensure intelligence (AI) and cybersecurity. We hope you find it
that security management teams inventory critical informative and look forward to connecting with you
assets and business processes, convey top risks more on these important topics.
and mitigations (and measure their success), and
communicate accepted residual risk. Above all, Betsy Atkins (Chairman, Google Cloud Advisory Board)
Boards, CEOs and other executives should ask probing Phil Venables (CISO, Google Cloud)
3
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
4
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
effective cyber risk oversight: 1) get educated; 2) be • Invite the CISO to strategy discussions on broader
engaged; and 3) stay informed. business and technology decisions.
• Schedule regular deep dives with the CISO, CIO,
First, Boards should get educated about key topics
CTO on risk priorities, budgets, and long-term
to ensure that cyber and broader technology risk
planning.
is embedded in operational risk and strategic
discussions and organizational decisions. This Third, Boards should stay informed about ongoing
includes understanding the impact cyber has on reporting activities, ask questions, and work with
risk management and resiliency frameworks. It also the CISO and other leaders to understand cyber
includes the Board of directors playing an integral role risk metrics. Boards should strive to create a robust
in overseeing any organization’s cloud-enabled digital feedback loop that encourages frank dialogue,
transformation. informed decision making, and continuous risk
management, in line with good practices for
Putting this in action operational risk management. Boards should also stay
• Assess Board structure and expertise; consider your engaged with relevant external organizations (like
committees and see which one is most appropriate Google) to stay informed of the latest cybersecurity
to oversee this risk. trends and practices. .
5
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
6
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
• How resilient are we? Boards should ask the In today’s threat environment, cybersecurity teams
CISO about how prepared your organization is to are under tremendous pressure to protect their
keep the business running through an event like a organizations from a variety of threats. For Boards,
ransomware attack. This is similar to planning for this means asking the right questions to ensure that
an earthquake or other disaster, and can involve relevant intelligence gets to the right stakeholders to
scenarios like operating off the Internet, restoring drive optimal cybersecurity and business decisions.
data back ups, etc. One way to assess resilience Boards can also work with the CISO to bring external
preparedness is to ask the CISO to conduct periodic cybersecurity partners like Google to the table to
cyber resilience exercises like a ransomware attack help translate frontline intelligence into actionable
to test organizational response. information.
• What is our risk? At a minimum, Boards should
ensure that the CISO’s risk management framework
addresses five key areas: 1) an assessment
of current threats to your organization; 2) an
explanation of what the cybersecurity leadership is
doing to mitigate against those threats; 3) examples
of how the CISO is testing whether mitigations are
working; 4) an assessment of the consequences if
those threats actually happen; and 5) an assessment
of risks that you aren’t going to mitigate, but will
otherwise accept. One way to get to the bottom of
this is to ask the CISO to present on this topic to the
full Board roughly twice a year.
7
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
8
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
Third, the Board should work with the CISO to Together, our approach reinforces a continuous cycle
stay informed on developments in this space where frontline intelligence meets AI-powered
to anticipate threats. We operate from the basic cloud innovation. We’ll continue to explore these topics
assumption that attackers will seek out these in future Board Horizons reports.
technologies and attempt to use them to circumvent
defenses, and we’re building towards that future state.
Conclusion
Cybersecurity can be a challenging topic for Boards to oversee. To help address this challenge, Boards should
adopt three principles for effective cyber risk oversight: 1) get educated; 2) be engaged; and 3) stay informed.
This approach–coupled with a strong relationship with the CISO and technology, business, and compliance
stakeholders–will help foster greater transparency and collaboration between Boards and company leaders.
Moving forward, it is clear that Board awareness and subsequent guidance in this area is critical to every
organization’s long term success. At Google Cloud, we look forward to working with you towards that goal.
Please click here for more information.
Check out our Board of Directors Insights Hub for more actionable cybersecurity resources.
9
Perspectives on Security for the Board: Edition 1
For more information, visit gcat.google.com
• What is our AI investment plan, and what are our plans • How are we using current threat intelligence to inform
to deploy AI securely? decisions?
• How are we preparing to manage data responsibilities • How are we testing our defenses? Do we conduct
with AI systems and what steps do we need to take to red team and tabletop exercises?
address them?
• What role will AI play in enhancing our cybersecurity
capabilities? Ensure you have a plan to protect users from
common attacks. Phishing is one of the most
common ways that attackers breach organizations.
Work with the CISO to better understand
They will also use techniques to bypass multi-
attackers and what they are after. Ransomware
factor authentication and abuse identity systems.
is a financially motivated extortion attack we
don’t see slowing down anytime soon. All Ask your CISO:
organizations are at risk and need to be ready. • What can our security, IT and business teams be doing
to protect all employees?
Ask your CISO:
• How are we minimizing the risk of social engineering
• What data and assets are most important to our organization, threats from reaching our employees?
and are they secure?
• How do we make our employees aware of phishing and
• Do we have a backup strategy if an attacker were to steal and other social engineering?
prevent access to our data?
• What is our strategy around adoption of phishing
• Have we performed ransomware defense assessments to resistant hardware/tokens?
test our ability to detect and respond to financial threats?
10